The following code works well for me for getting the command-line string of a 32-bit process, of a 64-bit process from a 32-bit application, and of a 32-bit process from a 64-bit application. If I try it with a 64-bit process from a 32-bit application, it fails, the reason being the differences in the size of the PROCESS_BASIC_INFORMATION structure and in the address size. So here are my questions -
1) The suggestion given on the process hacker forum (http://processhacker.sourceforge.net/forums/viewtopic.php?f=15&t=181) to use the wow64 functions does not seem to work, and shows the following error -
NtWow64ReadVirtualMemory64 error: 8000000D while reading ProcessParameters address from A68291A0004028E0
Has anyone tried this and succeeded in getting the information? I have posted the same question on their forum asking for their opinion.
2) Is there another way of querying the peb information that works reliably for both x86 and x64?
#include <windows.h>
#include <winternl.h>   /* PROCESS_BASIC_INFORMATION, UNICODE_STRING, ProcessBasicInformation */
#include <stdlib.h>

/* NtQueryInformationProcess is resolved at run time, so declare its signature. */
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Helper from the poster's own code base; declared here with the signature its use implies. */
char* mmwin32_util_widetoansi(WCHAR* wide);

int get_cmdline_from_pid( DWORD dwPid, char** cmdLine )
{
    SIZE_T read;
    PVOID params;                        /* RTL_USER_PROCESS_PARAMETERS* in the target: pointer-sized, not a DWORD */
    HANDLE hProcess;
    NtQueryInformationProcess_t pNtQip;
    PROCESS_BASIC_INFORMATION pbInfo;
    UNICODE_STRING cmdline;
    WCHAR* wcmdLine;
    int ok = FALSE;

    *cmdLine = NULL;
    hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid );
    if( !hProcess )
        return FALSE;
    pNtQip = (NtQueryInformationProcess_t) GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                                          "NtQueryInformationProcess");
    if( !pNtQip )
        goto done;
    /* The information class is ProcessBasicInformation (the original spelling was a typo). */
    if( pNtQip(hProcess, ProcessBasicInformation, &pbInfo, sizeof(pbInfo), NULL) < 0 )
        goto done;
    /* PEB.ProcessParameters sits at 0x20 in the 64-bit PEB and 0x10 in the 32-bit one.
       Cast to PCHAR so the offset is in bytes rather than in multiples of sizeof(PEB). */
#ifdef _WIN64
    if( !ReadProcessMemory(hProcess, (PCHAR)pbInfo.PebBaseAddress + 0x20, &params, sizeof(params), &read) )
        goto done;
#else
    if( !ReadProcessMemory(hProcess, (PCHAR)pbInfo.PebBaseAddress + 0x10, &params, sizeof(params), &read) )
        goto done;
#endif
    /* RTL_USER_PROCESS_PARAMETERS.CommandLine: offset 112 (0x70) on x64, 64 (0x40) on x86. */
#ifdef _WIN64
    if( !ReadProcessMemory(hProcess, (PCHAR)params + 112, &cmdline, sizeof(cmdline), &read) )
        goto done;
#else
    if( !ReadProcessMemory(hProcess, (PCHAR)params + 64, &cmdline, sizeof(cmdline), &read) )
        goto done;
#endif
    /* Length is in bytes and excludes the terminator; reserve room for one and write it ourselves. */
    wcmdLine = (WCHAR *)malloc(cmdline.Length + sizeof(WCHAR));
    if( !wcmdLine )
        goto done;
    if( ReadProcessMemory(hProcess, (PVOID)cmdline.Buffer, wcmdLine, cmdline.Length, &read) )
    {
        wcmdLine[cmdline.Length / sizeof(WCHAR)] = L'\0';
        *cmdLine = mmwin32_util_widetoansi(wcmdLine);
        ok = (*cmdLine != NULL);
    }
    free(wcmdLine);
done:
    CloseHandle(hProcess);
    return ok;
}
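For the case the question says fails (a 32-bit caller reading a 64-bit target), here is an added example that is not the poster's code: it uses the NtWow64QueryInformationProcess64 / NtWow64ReadVirtualMemory64 pair named in the linked thread together with a 64-bit PROCESS_BASIC_INFORMATION layout and explicit 64-bit pointers. The 64-bit offsets (PEB+0x20, ProcessParameters+0x70), the PBI64 layout and the two function signatures are assumptions taken from the public, undocumented structure layouts; the parse helper is kept portable so the byte handling can be checked off Windows.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed 64-bit layouts: PEB.ProcessParameters at +0x20, RTL_USER_PROCESS_PARAMETERS.CommandLine at +0x70. */
#define PEB64_PROCESSPARAMETERS 0x20
#define PARAMS64_COMMANDLINE    0x70
/* UNICODE_STRING as a 64-bit process lays it out: two USHORTs, 4 bytes of padding, an 8-byte pointer. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint64_t Buffer; } UNICODE_STRING64;

/* Pull CommandLine out of a raw copy of the target's 64-bit RTL_USER_PROCESS_PARAMETERS.
   The Buffer pointer is assembled from all 8 bytes: copying only 4 into a 64-bit slot leaves
   whatever was there in the high half, which is one way an address ends up looking bogus. */
int parse_cmdline64(const unsigned char *params, size_t n, UNICODE_STRING64 *out)
{
    const unsigned char *u = params + PARAMS64_COMMANDLINE;
    if (n < PARAMS64_COMMANDLINE + 16) return 0;   /* copy too short to contain the string header */
    out->Length        = (uint16_t)(u[0] | (u[1] << 8));
    out->MaximumLength = (uint16_t)(u[2] | (u[3] << 8));
    out->Buffer = 0;
    for (int i = 15; i >= 8; i--) out->Buffer = (out->Buffer << 8) | u[i];
    return 1;
}
#ifdef _WIN32   /* the WOW64 part only builds on Windows */
#include <windows.h>
typedef struct { LONG ExitStatus; ULONG Pad0; ULONG64 PebBaseAddress; ULONG64 AffinityMask;
                 LONG BasePriority; ULONG Pad1; ULONG64 UniqueProcessId; ULONG64 ParentProcessId; } PBI64;
typedef LONG (WINAPI *QIP64)(HANDLE, ULONG, PVOID, ULONG, PULONG);        /* NtWow64QueryInformationProcess64 */
typedef LONG (WINAPI *RVM64)(HANDLE, ULONG64, PVOID, ULONG64, PULONG64);  /* NtWow64ReadVirtualMemory64 */
/* 32-bit caller, 64-bit target. Returns WCHARs written (0 on failure); buf is NUL-terminated. */
size_t get_cmdline_wow64(DWORD pid, WCHAR *buf, size_t cch)
{
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    QIP64 qip = (QIP64)GetProcAddress(nt, "NtWow64QueryInformationProcess64");
    RVM64 rvm = (RVM64)GetProcAddress(nt, "NtWow64ReadVirtualMemory64");
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    PBI64 pbi; ULONG64 params = 0; unsigned char raw[PARAMS64_COMMANDLINE + 16];
    UNICODE_STRING64 us; size_t out = 0;
    if (!qip || !rvm || !h) { if (h) CloseHandle(h); return 0; }
    if (qip(h, 0 /* ProcessBasicInformation */, &pbi, sizeof pbi, NULL) < 0) goto done;
    /* Read all 8 bytes of the ProcessParameters pointer, then the head of the parameters block. */
    if (rvm(h, pbi.PebBaseAddress + PEB64_PROCESSPARAMETERS, &params, sizeof params, NULL) < 0) goto done;
    if (rvm(h, params, raw, sizeof raw, NULL) < 0 || !parse_cmdline64(raw, sizeof raw, &us)) goto done;
    if (us.Length / sizeof(WCHAR) >= cch) goto done;   /* caller's buffer too small */
    if (rvm(h, us.Buffer, buf, us.Length, NULL) < 0) goto done;
    out = us.Length / sizeof(WCHAR); buf[out] = L'\0';
done:
    CloseHandle(h);
    return out;
}
#endif
```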